Taxpayer First Act - Cybersecurity and Identity Protections

The Act requires IRS to work together with the public and private sectors to protect taxpayers from identity theft refund fraud.

Resources:

The Act adds the following to the current requirements regarding the Electronic Tax Administration Advisory Committee (ETAAC): ETAAC will study and make recommendations to IRS about additional ways to prevent identity theft and refund fraud.

Resources:

The Act authorizes IRS to participate in the Information Sharing and Analysis Center (ISAC). The Act allows the IRS to disclose certain return information to ISAC participants if the information helps with:

  • detecting or preventing identity theft tax refund fraud;
  • validating a taxpayer’s identity;
  • authenticating taxpayer returns, or
  • detecting or preventing cybersecurity threats to IRS.

Resources:

In the future, the IRS will not be able to provide taxpayer information to any contractors or other agents of a federal, state or local agency, unless the contractor is able to protect the confidentiality of return information and they agree to conduct on-site compliance reviews every three years. The federal, state or local agency is required to submit a report of its findings to IRS and certify every year that their contractors and other agents are meeting the requirements to protect the confidentiality of tax return information.

The Treasury Department is required to create a program to issue an IP PIN to any U.S. resident who requests one. And the Treasury Department is required to expand the issuance of IP PINs every year to people living in states that IRS determines are appropriate, as long as the number of states served by the program continues to increase.

Resources:

The Act requires IRS to establish single-point-of contact procedures for taxpayers whose tax return processing has been delayed or negatively affected by tax-related identity theft. The contact will track the taxpayer’s case to completion and coordinate with other IRS employees to resolve case issues as quickly as possible.

Resources:

Effective January 1, 2020, the Act requires IRS to notify a taxpayer:

  • If it finds any suspected unauthorized use of a taxpayer’s identity, or the identity of any of the taxpayer’s dependents,
  • If the IRS has initiated an investigation of the suspected identify theft and the status of the investigation,
  • Whether the investigation proved unauthorized use of the taxpayer’s identity, and
  • Whether any action has been taken (such as a referral for prosecution).

Also, when an individual is charged with identity theft, IRS must notify the victim as soon as possible, giving them the ability to pursue civil action against the suspect.

In this case, the unauthorized use of someone’s identity includes when it is used to obtain employment.

Resources:

The Act requires that IRS, in consultation with the National Taxpayer Advocate (NTA), develop and implement publicly available caseworker guidelines that reduce the burdens for identity theft tax refund fraud (IDTTRF) victims as they work with IRS to sort out their tax issues. These guidelines must be implemented no later than July 2, 2020 and may include procedures to reduce the:

  • amount of time victims would wait to receive their tax refunds,
  • the number of IRS employees with whom victims would need to interact, and
  • the timeframe to resolve the issues related to the IDTTRF.

Resources:

The Act increases the civil penalty for the unauthorized disclosure or use of information by tax return preparers. The former penalty was $250 and the new amount is$1,000. The penalty applies to cases in which the disclosure or use is made in connection with a crime relating to the misuse of another person’s taxpayer identity (“taxpayer identity theft”).

The Act also increases the calendar year limit from $10,000 to $50,000. The calendar year limit is applied separately with respect to disclosures or uses made in connection with taxpayer identity theft.

The Act also increases the criminal penalty for knowing or reckless conduct to $100,000 in the case of disclosures or uses in connection with taxpayer identity theft.

Resources:

Section 2202 of the Taxpayer First Act amended the provisions of IRC section 6103(c) by adding the following language: "Persons designated by the taxpayer under this subsection to receive return information shall not use the information for any purpose other than the express purpose for which consent was granted and shall not disclose return information to any other person without the express permission of, or request by, the taxpayer."

This provision limits the redisclosure and use of return information in the case of taxpayers who have consented to the disclosure of their return information by the Internal Revenue Service to a third party under IRC section 6103(c). Section 2202 of the Taxpayer First Act applies only to disclosures made by the Internal Revenue Service after December 28, 2019, and any subsequent redisclosures and uses of such information disclosed by the Internal Revenue Service after December 28, 2019.

Feedback?

Do you have feedback you’d like to share as we continue to implement the Taxpayer First Act? Please send it to TFAO@irs.gov.